Upgrade minimist to >=1.2.3 for Angular < v9, CLI and DevKit
The following vulnerability has been flagged for minimist < 1.2.3: https://npmjs.com/advisories/1179
The package is used through:
@angular-devkit/build-angular
@angular/cli
@angular/compiler-cli
`npm audit` is offering `npm install --save-dev @angular/compiler-cli@9.0.6` as a manual fix. However, upgrading to Angular v9 isn’t possible for my apps right now.
Is it possible to get a backport for v8 please?
Relevant `package.json` details:
"dependencies": {
"@angular/animations": "~8.2.4",
"@angular/cdk": "^8.2.3",
"@angular/common": "~8.2.4",
"@angular/compiler": "~8.2.4",
"@angular/core": "~8.2.4",
"@angular/forms": "~8.2.4",
"@angular/material": "^8.2.3",
"@angular/material-moment-adapter": "^8.2.3",
"@angular/platform-browser": "~8.2.4",
"@angular/platform-browser-dynamic": "~8.2.4",
"@angular/router": "~8.2.4",
"rxjs": "~6.4.0",
"tslib": "^1.10.0",
"zone.js": "~0.9.1"
},
"devDependencies": {
"@angular-devkit/build-angular": "^0.803.23",
"@angular/cli": "^8.3.21",
"@angular/compiler-cli": "~8.2.4",
"@angular/language-service": "~8.2.4",
"@types/jasmine": "~3.3.8",
"@types/jasminewd2": "~2.0.3",
"@types/node": "~8.9.4",
"codelyzer": "^5.0.0",
"jasmine-core": "~3.4.0",
"jasmine-spec-reporter": "~4.2.1",
"karma": "^4.4.1",
"karma-chrome-launcher": "~2.2.0",
"karma-coverage-istanbul-reporter": "~2.0.1",
"karma-jasmine": "~2.0.1",
"karma-jasmine-html-reporter": "^1.4.0",
"maketypes": "^1.1.2",
"protractor": "~5.4.0",
"rxjs-tslint-rules": "^4.26.3",
"ts-node": "~7.0.0",
"tslint": "~5.15.0",
"typescript": "~3.5.3"
},
Expand for audit info from `npm audit --json`:
{
"actions": [
{
"isMajor": true,
"action": "install",
"resolves": [
{
"id": 1179,
"path": "ts-node>mkdirp>minimist",
"dev": true,
"optional": false,
"bundled": false
}
],
"module": "ts-node",
"target": "8.7.0"
},
{
"isMajor": true,
"action": "install",
"resolves": [
{
"id": 1179,
"path": "@angular/compiler-cli>chokidar>fsevents>node-pre-gyp>mkdirp>minimist",
"dev": true,
"optional": true,
"bundled": true
},
{
"id": 1179,
"path": "@angular/compiler-cli>chokidar>fsevents>node-pre-gyp>tar>mkdirp>minimist",
"dev": true,
"optional": true,
"bundled": true
},
{
"id": 1179,
"path": "@angular/compiler-cli>chokidar>fsevents>node-pre-gyp>rc>minimist",
"dev": true,
"optional": true,
"bundled": true
}
],
"module": "@angular/compiler-cli",
"target": "9.0.6"
},
{
"action": "review",
"module": "minimist",
"resolves": [
{
"id": 1179,
"path": "@angular-devkit/build-angular>cacache>mkdirp>minimist",
"dev": true,
"optional": false,
"bundled": false
},
{
"id": 1179,
"path": "@angular-devkit/build-angular>terser-webpack-plugin>cacache>mkdirp>minimist",
"dev": true,
"optional": false,
"bundled": false
},
{
"id": 1179,
"path": "@angular-devkit/build-angular>webpack>terser-webpack-plugin>cacache>mkdirp>minimist",
"dev": true,
"optional": false,
"bundled": false
},
{
"id": 1179,
"path": "@angular/cli>@schematics/update>pacote>cacache>mkdirp>minimist",
"dev": true,
"optional": false,
"bundled": false
},
{
"id": 1179,
"path": "@angular/cli>pacote>cacache>mkdirp>minimist",
"dev": true,
"optional": false,
"bundled": false
},
{
"id": 1179,
"path": "@angular/cli>@schematics/update>pacote>make-fetch-happen>cacache>mkdirp>minimist",
"dev": true,
"optional": false,
"bundled": false
},
{
"id": 1179,
"path": "@angular/cli>pacote>make-fetch-happen>cacache>mkdirp>minimist",
"dev": true,
"optional": false,
"bundled": false
},
{
"id": 1179,
"path": "@angular/cli>@schematics/update>pacote>npm-registry-fetch>make-fetch-happen>cacache>mkdirp>minimist",
"dev": true,
"optional": false,
"bundled": false
},
{
"id": 1179,
"path": "@angular/cli>pacote>npm-registry-fetch>make-fetch-happen>cacache>mkdirp>minimist",
"dev": true,
"optional": false,
"bundled": false
},
{
"id": 1179,
"path": "@angular-devkit/build-angular>cacache>move-concurrently>copy-concurrently>mkdirp>minimist",
"dev": true,
"optional": false,
"bundled": false
},
{
"id": 1179,
"path": "@angular-devkit/build-angular>terser-webpack-plugin>cacache>move-concurrently>copy-concurrently>mkdirp>minimist",
"dev": true,
"optional": false,
"bundled": false
},
{
"id": 1179,
"path": "@angular-devkit/build-angular>webpack>terser-webpack-plugin>cacache>move-concurrently>copy-concurrently>mkdirp>minimist",
"dev": true,
"optional": false,
"bundled": false
},
{
"id": 1179,
"path": "@angular/cli>@schematics/update>pacote>cacache>move-concurrently>copy-concurrently>mkdirp>minimist",
"dev": true,
"optional": false,
"bundled": false
},
{
"id": 1179,
"path": "@angular/cli>pacote>cacache>move-concurrently>copy-concurrently>mkdirp>minimist",
"dev": true,
"optional": false,
"bundled": false
},
{
"id": 1179,
"path": "@angular/cli>@schematics/update>pacote>make-fetch-happen>cacache>move-concurrently>copy-concurrently>mkdirp>minimist",
"dev": true,
"optional": false,
"bundled": false
},
{
"id": 1179,
"path": "@angular/cli>pacote>make-fetch-happen>cacache>move-concurrently>copy-concurrently>mkdirp>minimist",
"dev": true,
"optional": false,
"bundled": false
},
{
"id": 1179,
"path": "@angular/cli>@schematics/update>pacote>npm-registry-fetch>make-fetch-happen>cacache>move-concurrently>copy-concurrently>mkdirp>minimist",
"dev": true,
"optional": false,
"bundled": false
},
{
"id": 1179,
"path": "@angular/cli>pacote>npm-registry-fetch>make-fetch-happen>cacache>move-concurrently>copy-concurrently>mkdirp>minimist",
"dev": true,
"optional": false,
"bundled": false
},
{
"id": 1179,
"path": "@angular-devkit/build-angular>copy-webpack-plugin>cacache>move-concurrently>copy-concurrently>mkdirp>minimist",
"dev": true,
"optional": false,
"bundled": false
},
{
"id": 1179,
"path": "@angular-devkit/build-angular>cacache>move-concurrently>mkdirp>minimist",
"dev": true,
"optional": false,
"bundled": false
},
{
"id": 1179,
"path": "@angular-devkit/build-angular>terser-webpack-plugin>cacache>move-concurrently>mkdirp>minimist",
"dev": true,
"optional": false,
"bundled": false
},
{
"id": 1179,
"path": "@angular-devkit/build-angular>webpack>terser-webpack-plugin>cacache>move-concurrently>mkdirp>minimist",
"dev": true,
"optional": false,
"bundled": false
},
{
"id": 1179,
"path": "@angular/cli>@schematics/update>pacote>cacache>move-concurrently>mkdirp>minimist",
"dev": true,
"optional": false,
"bundled": false
},
{
"id": 1179,
"path": "@angular/cli>pacote>cacache>move-concurrently>mkdirp>minimist",
"dev": true,
"optional": false,
"bundled": false
},
{
"id": 1179,
"path": "@angular/cli>@schematics/update>pacote>make-fetch-happen>cacache>move-concurrently>mkdirp>minimist",
"dev": true,
"optional": false,
"bundled": false
},
{
"id": 1179,
"path": "@angular/cli>pacote>make-fetch-happen>cacache>move-concurrently>mkdirp>minimist",
"dev": true,
"optional": false,
"bundled": false
},
{
"id": 1179,
"path": "@angular/cli>@schematics/update>pacote>npm-registry-fetch>make-fetch-happen>cacache>move-concurrently>mkdirp>minimist",
"dev": true,
"optional": false,
"bundled": false
},
{
"id": 1179,
"path": "@angular/cli>pacote>npm-registry-fetch>make-fetch-happen>cacache>move-concurrently>mkdirp>minimist",
"dev": true,
"optional": false,
"bundled": false
},
{
"id": 1179,
"path": "@angular-devkit/build-angular>copy-webpack-plugin>cacache>move-concurrently>mkdirp>minimist",
"dev": true,
"optional": false,
"bundled": false
},
{
"id": 1179,
"path": "@angular-devkit/build-angular>copy-webpack-plugin>cacache>mkdirp>minimist",
"dev": true,
"optional": false,
"bundled": false
},
{
"id": 1179,
"path": "@angular-devkit/build-angular>less>mkdirp>minimist",
"dev": true,
"optional": false,
"bundled": false
},
{
"id": 1179,
"path": "@angular-devkit/build-angular>stylus>mkdirp>minimist",
"dev": true,
"optional": false,
"bundled": false
},
{
"id": 1179,
"path": "@angular-devkit/build-angular>webpack>mkdirp>minimist",
"dev": true,
"optional": false,
"bundled": false
},
{
"id": 1179,
"path": "@angular-devkit/build-angular>webpack-dev-middleware>mkdirp>minimist",
"dev": true,
"optional": false,
"bundled": false
},
{
"id": 1179,
"path": "@angular-devkit/build-angular>webpack-dev-server>webpack-dev-middleware>mkdirp>minimist",
"dev": true,
"optional": false,
"bundled": false
},
{
"id": 1179,
"path": "@angular-devkit/build-angular>webpack-dev-server>portfinder>mkdirp>minimist",
"dev": true,
"optional": false,
"bundled": false
},
{
"id": 1179,
"path": "@angular/cli>@schematics/update>pacote>mkdirp>minimist",
"dev": true,
"optional": false,
"bundled": false
},
{
"id": 1179,
"path": "@angular/cli>pacote>mkdirp>minimist",
"dev": true,
"optional": false,
"bundled": false
},
{
"id": 1179,
"path": "@angular/cli>@schematics/update>pacote>tar>mkdirp>minimist",
"dev": true,
"optional": false,
"bundled": false
},
{
"id": 1179,
"path": "@angular/cli>pacote>tar>mkdirp>minimist",
"dev": true,
"optional": false,
"bundled": false
},
{
"id": 1179,
"path": "tslint>mkdirp>minimist",
"dev": true,
"optional": false,
"bundled": false
},
{
"id": 1179,
"path": "@angular-devkit/build-angular>webpack>watchpack>chokidar>fsevents>node-pre-gyp>mkdirp>minimist",
"dev": true,
"optional": true,
"bundled": true
},
{
"id": 1179,
"path": "@angular-devkit/build-angular>webpack>watchpack>chokidar>fsevents>node-pre-gyp>tar>mkdirp>minimist",
"dev": true,
"optional": true,
"bundled": true
},
{
"id": 1179,
"path": "@angular-devkit/build-angular>webpack>watchpack>chokidar>fsevents>node-pre-gyp>rc>minimist",
"dev": true,
"optional": true,
"bundled": true
},
{
"id": 1179,
"path": "@angular-devkit/build-angular>webpack-dev-server>chokidar>fsevents>node-pre-gyp>mkdirp>minimist",
"dev": true,
"optional": true,
"bundled": true
},
{
"id": 1179,
"path": "@angular-devkit/build-angular>webpack-dev-server>chokidar>fsevents>node-pre-gyp>tar>mkdirp>minimist",
"dev": true,
"optional": true,
"bundled": true
},
{
"id": 1179,
"path": "@angular-devkit/build-angular>webpack-dev-server>chokidar>fsevents>node-pre-gyp>rc>minimist",
"dev": true,
"optional": true,
"bundled": true
},
{
"id": 1179,
"path": "karma>optimist>minimist",
"dev": true,
"optional": false,
"bundled": false
},
{
"id": 1179,
"path": "protractor>optimist>minimist",
"dev": true,
"optional": false,
"bundled": false
}
]
}
],
"advisories": {
"1179": {
"findings": [
{
"version": "0.0.8",
"paths": [
"@angular-devkit/build-angular>cacache>mkdirp>minimist",
"@angular-devkit/build-angular>terser-webpack-plugin>cacache>mkdirp>minimist",
"@angular-devkit/build-angular>webpack>terser-webpack-plugin>cacache>mkdirp>minimist",
"@angular/cli>@schematics/update>pacote>cacache>mkdirp>minimist",
"@angular/cli>pacote>cacache>mkdirp>minimist",
"@angular/cli>@schematics/update>pacote>make-fetch-happen>cacache>mkdirp>minimist",
"@angular/cli>pacote>make-fetch-happen>cacache>mkdirp>minimist",
"@angular/cli>@schematics/update>pacote>npm-registry-fetch>make-fetch-happen>cacache>mkdirp>minimist",
"@angular/cli>pacote>npm-registry-fetch>make-fetch-happen>cacache>mkdirp>minimist",
"@angular-devkit/build-angular>cacache>move-concurrently>copy-concurrently>mkdirp>minimist",
"@angular-devkit/build-angular>terser-webpack-plugin>cacache>move-concurrently>copy-concurrently>mkdirp>minimist",
"@angular-devkit/build-angular>webpack>terser-webpack-plugin>cacache>move-concurrently>copy-concurrently>mkdirp>minimist",
"@angular/cli>@schematics/update>pacote>cacache>move-concurrently>copy-concurrently>mkdirp>minimist",
"@angular/cli>pacote>cacache>move-concurrently>copy-concurrently>mkdirp>minimist",
"@angular/cli>@schematics/update>pacote>make-fetch-happen>cacache>move-concurrently>copy-concurrently>mkdirp>minimist",
"@angular/cli>pacote>make-fetch-happen>cacache>move-concurrently>copy-concurrently>mkdirp>minimist",
"@angular/cli>@schematics/update>pacote>npm-registry-fetch>make-fetch-happen>cacache>move-concurrently>copy-concurrently>mkdirp>minimist",
"@angular/cli>pacote>npm-registry-fetch>make-fetch-happen>cacache>move-concurrently>copy-concurrently>mkdirp>minimist",
"@angular-devkit/build-angular>copy-webpack-plugin>cacache>move-concurrently>copy-concurrently>mkdirp>minimist",
"@angular-devkit/build-angular>cacache>move-concurrently>mkdirp>minimist",
"@angular-devkit/build-angular>terser-webpack-plugin>cacache>move-concurrently>mkdirp>minimist",
"@angular-devkit/build-angular>webpack>terser-webpack-plugin>cacache>move-concurrently>mkdirp>minimist",
"@angular/cli>@schematics/update>pacote>cacache>move-concurrently>mkdirp>minimist",
"@angular/cli>pacote>cacache>move-concurrently>mkdirp>minimist",
"@angular/cli>@schematics/update>pacote>make-fetch-happen>cacache>move-concurrently>mkdirp>minimist",
"@angular/cli>pacote>make-fetch-happen>cacache>move-concurrently>mkdirp>minimist",
"@angular/cli>@schematics/update>pacote>npm-registry-fetch>make-fetch-happen>cacache>move-concurrently>mkdirp>minimist",
"@angular/cli>pacote>npm-registry-fetch>make-fetch-happen>cacache>move-concurrently>mkdirp>minimist",
"@angular-devkit/build-angular>copy-webpack-plugin>cacache>move-concurrently>mkdirp>minimist",
"@angular-devkit/build-angular>copy-webpack-plugin>cacache>mkdirp>minimist",
"@angular-devkit/build-angular>less>mkdirp>minimist",
"@angular-devkit/build-angular>stylus>mkdirp>minimist",
"@angular-devkit/build-angular>webpack>mkdirp>minimist",
"@angular-devkit/build-angular>webpack-dev-middleware>mkdirp>minimist",
"@angular-devkit/build-angular>webpack-dev-server>webpack-dev-middleware>mkdirp>minimist",
"@angular-devkit/build-angular>webpack-dev-server>portfinder>mkdirp>minimist",
"@angular/cli>@schematics/update>pacote>mkdirp>minimist",
"@angular/cli>pacote>mkdirp>minimist",
"@angular/cli>@schematics/update>pacote>tar>mkdirp>minimist",
"@angular/cli>pacote>tar>mkdirp>minimist",
"ts-node>mkdirp>minimist",
"tslint>mkdirp>minimist"
]
},
{
"version": "0.0.8",
"paths": [
"@angular-devkit/build-angular>webpack>watchpack>chokidar>fsevents>node-pre-gyp>mkdirp>minimist",
"@angular-devkit/build-angular>webpack>watchpack>chokidar>fsevents>node-pre-gyp>tar>mkdirp>minimist"
]
},
{
"version": "1.2.0",
"paths": [
"@angular-devkit/build-angular>webpack>watchpack>chokidar>fsevents>node-pre-gyp>rc>minimist"
]
},
{
"version": "0.0.8",
"paths": [
"@angular-devkit/build-angular>webpack-dev-server>chokidar>fsevents>node-pre-gyp>mkdirp>minimist",
"@angular-devkit/build-angular>webpack-dev-server>chokidar>fsevents>node-pre-gyp>tar>mkdirp>minimist"
]
},
{
"version": "1.2.0",
"paths": [
"@angular-devkit/build-angular>webpack-dev-server>chokidar>fsevents>node-pre-gyp>rc>minimist"
]
},
{
"version": "0.0.8",
"paths": [
"@angular/compiler-cli>chokidar>fsevents>node-pre-gyp>mkdirp>minimist",
"@angular/compiler-cli>chokidar>fsevents>node-pre-gyp>tar>mkdirp>minimist"
]
},
{
"version": "1.2.0",
"paths": [
"@angular/compiler-cli>chokidar>fsevents>node-pre-gyp>rc>minimist"
]
},
{
"version": "0.0.10",
"paths": [
"karma>optimist>minimist",
"protractor>optimist>minimist"
]
}
],
"id": 1179,
"created": "2019-09-23T15:01:43.049Z",
"updated": "2020-03-17T14:28:36.298Z",
"deleted": null,
"title": "Prototype Pollution",
"found_by": {
"link": "https://www.checkmarx.com/resources/blog/",
"name": "Checkmarx Research Team",
"email": ""
},
"reported_by": {
"link": "https://www.checkmarx.com/resources/blog/",
"name": "Checkmarx Research Team",
"email": ""
},
"module_name": "minimist",
"cves": [],
"vulnerable_versions": "<1.2.3",
"patched_versions": ">=1.2.3",
"overview": "Versions of `minimist` prior to 1.2.3 are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of `Object`, causing the addition or modification of an existing property that will exist on all objects. Parsing the argument `--__proto__.y=Polluted` adds a `y` property with value `Polluted` to all objects. The argument `--__proto__=Polluted` raises an uncaught error and crashes the application. This is exploitable if attackers have control over the arguments being passed to `minimist`.\n",
"recommendation": "Upgrade to version 1.2.3 or later.",
"references": "",
"access": "public",
"severity": "moderate",
"cwe": "CWE-471",
"metadata": {
"module_type": "",
"exploitability": 2,
"affected_components": ""
},
"url": "https://npmjs.com/advisories/1179"
}
},
"muted": [],
"metadata": {
"vulnerabilities": {
"info": 0,
"low": 0,
"moderate": 53,
"high": 0,
"critical": 0
},
"dependencies": 55,
"devDependencies": 16915,
"optionalDependencies": 307,
"totalDependencies": 16971
},
"runId": "5d8a80c9-aa1c-4ee5-a685-05728b8d67b0"
}
If you add the following below `browserslist` in `package.json`:
"resolutions": { "minimist": "^1.2.3" }
then delete `node_modules` and run
npx npm-force-resolutions && npm install
it will resolve the issue.

This does not affect deployed Angular applications; it is only relevant to the tooling used for compilation, which should never be deployed as part of your application (every affected path in the audit output above is flagged `"dev": true`).
Moreover the advisory states:
Note that compiler-cli only uses minimist to parse command line arguments for `ngc` and `ng-xi18n`. So unless you are allowing malicious third parties to run these utilities with arbitrary command line arguments on your servers, this vulnerability has no impact on the Angular tooling.

The Angular CLI may have a different use of this library, but the same comment above about command line usage applies.